From: eculp@bafirst.com
To: freebsd-current@freebsd.org
Date: Sat, 23 Jul 2005 06:07:30 -0500
Subject: Re: I just installed pf on a new server w/current and nat doesn't seem to work.
Message-ID: <20050723060730.3u9qtdrdogkcwog4@mail.bafirst.com>
In-Reply-To: <20050722180621.qj8w6e47i8gkwk88@mail.bafirst.com>
References: <20050722180621.qj8w6e47i8gkwk88@mail.bafirst.com>

Problem fixed.

Thanks

ed

Quoting eculp@bafirst.com:

> My major problem is that I am over 2500 miles from the server and in
> another country. I have configured a current box with the idea of
> stopping at 6.0 but that is another issue.
>
> It would seem that pf nat isn't working. The machines on the lan
> pick up their configuration from dhcpd and can ping their gateway
> 192.168.1.1 (em0 on the server) and 65.81.102.2 (em1 on the server)
> but cannot ping 65.81.102.1, the server's gateway. It would seem that
> there are issues with either ip forwarding or pf nat. When I do a
> pfctl -vv -s Interfaces I get all zeros even though I am creating
> traffic on the server. That doesn't seem to be right.
>
> My configurations follow. I would sure appreciate any suggestions
> because I'm afraid that I've missed something. That is usually the
> case with problems like this.
>
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> /etc/pf.conf:
>
> int_if = "em0"
> ext_if = "em1"
>
> udp_services = "{ 53 }"
> tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389, 3128 }"
> icmp_types = "echoreq"
> priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> # filter rules
> block all
> pass quick on lo0 all
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> rc.conf:
>
> ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
> ifconfig_em1="inet 65.81.102.2 netmask 255.255.255.248"
> defaultrouter="65.81.102.1"
> gateway_enable="YES"
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_program="/sbin/pfctl"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_program="/sbin/pflogd"
> pflog_flags=""
>
> # PF Kernel Config
>
> device pf
> device pflog
> device pfsync
> options ALTQ
> options ALTQ_CBQ
> options ALTQ_RED
> options ALTQ_RIO
> options ALTQ_HFSC
> options ALTQ_CDNR
> options ALTQ_PRIQ
>
> Where else could it be? I have several other machines that have very
> similar configurations and with no problems, of course they are all
> within a 2 hour drive ;)
>
> Thanks for any help or suggestions.
>
> ed
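Added as an editor's example, not code from the thread or from the FreeBSD project: a small Python checker that expands pf.conf macros the way the posted ruleset uses them (`$ext_if`, `$int_if:network`, `($ext_if)`) and flags two configuration mistakes that make NAT appear dead while `net.inet.ip.forwarding` is already 1: a nat rule that translates to a different interface's address than the one it is attached to, and an external interface with no `pass out` rule to let the translated packets through the ruleset's `block all`. The function names and the constructed excerpt of the pf.conf are assumptions; the thread never says what the poster's actual fix was.

```python
import re

# Constructed excerpt of the pf.conf quoted in the thread: the macros plus the
# nat/rdr and outbound filter lines that NAT depends on (rest omitted).
PF_CONF = '''
int_if = "em0"
ext_if = "em1"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
'''

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
# nat/rdr rule: interface it hangs on, and the translation target after "->"
# (group 3 records whether the target is a parenthesised interface name).
NAT_RULE = re.compile(r'^(nat|rdr)\s+on\s+(\S+)\s.*->\s*(\(?)([^\s)]+)')
PASS_OUT = re.compile(r'^pass\s+out\s+(?:quick\s+)?on\s+(\S+)')

def expand_rules(conf):
    """Return (rules, undefined): rule lines with $macros substituted and the
    names of macros that were referenced but never defined (hypothetical helper)."""
    macros, rules, undefined = {}, [], set()

    def sub(ref):
        name = ref.group(1)
        if name in macros:
            return macros[name]
        undefined.add(name)
        return ref.group(0)          # leave the unresolved reference visible

    for line in conf.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(MACRO_REF.sub(sub, line))
    return rules, undefined

def nat_sanity(rules):
    """List findings for nat rules that translate to another interface's
    address or sit on an interface with no 'pass out' rule (hypothetical helper)."""
    out_ifaces = {m.group(1) for r in rules for m in [PASS_OUT.match(r)] if m}
    findings = []
    for r in rules:
        m = NAT_RULE.match(r)
        if not m or m.group(1) != 'nat':
            continue
        on_if, paren, target = m.group(2), m.group(3), m.group(4)
        if paren and target != on_if:
            findings.append(f'nat on {on_if} translates to ({target}), not its own address')
        if on_if not in out_ifaces:
            findings.append(f'no "pass out on {on_if}" rule: translated packets hit "block all"')
    return findings
```

On the posted ruleset both checks come back clean, so this class of mistake can be ruled out before looking at the kernel module or the counters from pfctl -vv -s Interfaces.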